Abstract


In this paper, we develop and formally verify practical algorithms for recovery from 
loss of separation. The formal verification is performed in the context of a criteria- 
based framework. This framework provides rigorous definitions of horizontal and 
vertical maneuver correctness that guarantee divergence and achieve horizontal and 
vertical separation. The algorithms are shown to be independently correct, that is, 
separation is achieved when only one aircraft maneuvers, and implicitly coordinated, 
that is, separation is also achieved when both aircraft maneuver. In this paper we 
improve the horizontal criteria over our previous work. An important benefit of 
the criteria approach is that different aircraft can execute different algorithms and 
implicit coordination will still be achieved, as long as they all meet the explicit 
criteria of the framework. Towards this end we have sought to make the criteria as 
general as possible. The framework presented in this paper has been formalized and 
mechanically verified in the Prototype Verification System (PVS). 
Figure 1. Criteria-based algorithm verification


1 Introduction 

As the density of the national airspace increases, conflicts involving multiple aircraft 
will also increase. Inevitably there will be situations where even the tactical state- 
based conflict detection algorithms will not be able to prevent a loss of separation 
(LoS). Although algorithms have been developed that have been formally verified 
to provide coordinated and independent solutions, e.g., [2,3], these proofs assume 
that there are at most two aircraft in conflict. Furthermore, these proofs make 
other idealistic assumptions: (1) that aircraft state data is perfectly known, (2) 
the translation of the mathematical algorithms into executable programs is without 
error, (3) the pilots execute the maneuvers as directed by the software and do so 
within a suitable amount of time, and (4) the aircraft have adequate performance to 
achieve the recommended solutions before a loss of separation occurs. It is therefore 
essential that robust algorithms for recovery from LoS be designed and verified. 

In our previous work [1], we developed a criteria-based framework for reasoning 
about LoS algorithms. We first developed a formal specification of what it means for 
an algorithm to be correct. Then, rather than proceed immediately to an algorithm 
that satisfies the correctness property, we proposed an intermediate level called the 
criteria level. The verification process is thereby decomposed into two steps: (1) 
the criteria to correctness proof and (2) the algorithm to criteria proof. The first 
step is accomplished once and for all, while the second step is performed for each 
new algorithm that is developed. This approach is illustrated in Figure 1. 

We have separate concepts of correctness and, therefore, separate criteria for 
the horizontal and vertical dimensions. There is a formal proof that the horizontal 
criteria satisfies the horizontal correctness property and a formal proof that the ver- 
tical criteria satisfies the vertical correctness property. Many different algorithms 
can then be shown to satisfy the criteria and thereby inherit the associated correctness
properties. One interesting consequence is that all possible combinations of
the algorithms that meet the criteria will all have coordinated solutions. We believe 
that this is a very powerful enabler for distributed conflict detection and resolution. 
Each aircraft can execute its own algorithm as long as it satisfies the criteria. This is 
in stark contrast to the approach used in TCAS II where every aircraft is mandated 
to execute exactly the same algorithm. Another goal of this endeavor was to push 
most of the verification burden into the criteria-to-correctness proof so as to simplify 
the individual proofs of the algorithms. We were able to achieve this goal in the 
previous work for the vertical case only. In this paper we revise the criteria for the 
horizontal case in a manner that we believe achieves this goal for the horizontal case 
as well. We then proceed to develop a horizontal algorithm that satisfies the revised 
criteria. 

2 Basic Concepts 

As typical of state-based approaches, our framework is centered around the idea of 
modeling aircraft trajectories as linear functions of time into a 3-dimensional vector
space with coordinates x, y, and z.

The theory is concerned with only two aircraft at a time. We will refer to one
as the ownship and the other as the traffic aircraft. Position and velocity vectors
for the ownship are denoted $\mathbf{s}_o$ and $\mathbf{v}_o$, respectively. Traffic vectors are referenced
by $i$, e.g., $\mathbf{s}_i$ and $\mathbf{v}_i$, and new velocity vectors are denoted by primed variables, e.g.,
$\mathbf{v}_o'$ and $\mathbf{v}_i'$. It is often convenient to use a relative coordinate system where the
traffic aircraft is located at the origin of the system and is motionless. The relative
position and velocity vectors of the ownship are denoted $\mathbf{s}$ and $\mathbf{v}$, respectively, where
$\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$ and $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$. Note that vector variables are written in boldface and
their components are referenced by sub-indices, e.g., $v_x$, $v_y$, and $v_z$.

If D and H are, respectively, the minimum horizontal and vertical separation, 
the predicates that test if the aircraft are horizontally or vertically separated are 
defined in the relative coordinate system as follows 

$$\text{horizontal\_separation?}(\mathbf{s}) = s_x^2 + s_y^2 > D^2,$$
$$\text{vertical\_separation?}(\mathbf{s}) = |s_z| > H,$$
$$\text{separation?}(\mathbf{s}) = \text{horizontal\_separation?}(\mathbf{s}) \;\text{OR}\; \text{vertical\_separation?}(\mathbf{s}).$$

Note that within the translated frame of reference, the concept of protected zone can
be defined as a cylinder of radius $D$ and height $2H$ centered at the traffic aircraft.

From these predicates, we define loss of separation as follows

$$\text{loss\_of\_separation?}(\mathbf{s}) = \text{NOT}\; \text{separation?}(\mathbf{s}).$$

Therefore, the condition that the aircraft have lost separation can be simply
expressed as loss_of_separation?(s), where $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$.

In our previous work on loss of separation [1], we proposed a concept of correct- 
ness for both horizontal and vertical resolutions in the loss of separation situation. 
A resolution vector $\mathbf{v}_o'$ is horizontally correct with respect to the relative position $\mathbf{s}$
and the traffic's velocity vector $\mathbf{v}_i$ if and only if

• $\text{xy\_divergent?}(\mathbf{s}, \mathbf{v}_o' - \mathbf{v}_i)$, and

• $\text{horizontal\_separation?}(\mathbf{s} + T_h(\mathbf{v}_o' - \mathbf{v}_i))$,

where horizontal divergence is defined as follows:

$$\text{xy\_divergent?}(\mathbf{s}, \mathbf{v}) = \forall t : t > 0 \Rightarrow \|\mathbf{s}\| < \|\mathbf{s} + t\mathbf{v}\|,$$

where the norms are two dimensional over the x and y components. The parameter
$T_h$ specifies a maximum time to recover in the horizontal dimension. A resolution
vector $\mathbf{v}_o'$ is vertically correct with respect to the relative position $\mathbf{s}$ and the traffic's
velocity vector $\mathbf{v}_i$ if and only if

• $\text{z\_divergent?}(\mathbf{s}, \mathbf{v}_o' - \mathbf{v}_i)$, and

• $\text{vertical\_separation?}(\mathbf{s} + T_v(\mathbf{v}_o' - \mathbf{v}_i))$,

where

$$\text{z\_divergent?}(\mathbf{s}, \mathbf{v}) = \forall t : t > 0 \Rightarrow |s_z| < |s_z + v_z t|.$$


3 Revised Horizontal Criteria 

In our previous work on loss of separation [1] our criteria was built around a predicate
called dot_prop? which was defined as $\text{dot\_prop?}(\mathbf{s}, \mathbf{v}) = \mathbf{s} \cdot \mathbf{v} \geq 0$. The horizontal
criteria proposed was

$$\begin{aligned}
\text{criteria?}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i)(\mathbf{v}_o') = {}& \mathbf{v}_o' \neq \mathbf{v}_i \;\text{AND} \\
& \text{dot\_prop?}(\mathbf{s}, \mathbf{v}_o' - \mathbf{v}_i) \;\text{AND} \\
& (\text{dot\_prop?}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) \Rightarrow \\
& \quad ((\mathbf{v}_o \neq \mathbf{v}_i \;\text{AND}\; \text{dot\_prop?}(\mathbf{s}, \mathbf{v}_o' - \mathbf{v}_o)) \\
& \quad \text{OR} \\
& \quad (\mathbf{v}_o = \mathbf{v}_i \;\text{AND}\; \mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_o) > 0))).
\end{aligned}$$

In this paper, we offer a revision of this criteria that is much simpler:

$$\text{criteria?}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i)(\mathbf{v}_o') =
\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) > 0 \;\text{AND}\;
\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) \geq \mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i). \quad (1)$$

Our original criteria only dealt with the sign of the dot product, while our new criteria
involves the size of the dot product. The rationale for this criteria is clear now that
it has been cast in this form. The first conjunct, $\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) > 0$, ensures divergence
when the aircraft are originally convergent (see lemma dot_pos_divergent below).
But when the aircraft are already divergent, some additional logic is needed to
achieve coordination. We discovered that if we merely required that the dot product
of the new velocity vector be greater than or equal to the current dot product, then
coordination is achieved. This is also ideal, because there is no reason to allow a
maneuver where the dot product is smaller: that would only increase the
time to exit. A key insight is that the time to exit is related to the magnitude of
the dot product.

We will now develop the formal mathematics. For convenience we define a
predicate dot_pos?:

$$\text{dot\_pos?}(\mathbf{s}, \mathbf{v}) = \mathbf{s} \cdot \mathbf{v} > 0.$$

We then relate this predicate to divergence as follows:

Theorem 3.1 (dot_pos_divergent).

$$\text{dot\_pos?}(\mathbf{s}, \mathbf{v}) \Rightarrow \text{xy\_divergent?}(\mathbf{s}, \mathbf{v}).$$

Proof. The distance between two aircraft at time $t$ is given by

$$\|\mathbf{s} + t\mathbf{v}\|, \quad (2)$$

where $\mathbf{v} = \mathbf{v}_o' - \mathbf{v}_i$. The distance achieves a minimum where its square is a minimum,
so we can work with the square of the distance:

$$\|\mathbf{s} + t\mathbf{v}\|^2 = (\mathbf{s} + t\mathbf{v}) \cdot (\mathbf{s} + t\mathbf{v}) = t^2 v^2 + 2t(\mathbf{s} \cdot \mathbf{v}) + s^2, \quad (3)$$

where we use the abbreviation $v^2 = \|\mathbf{v}\|^2 = \mathbf{v} \cdot \mathbf{v}$. This achieves a minimum where
its derivative with respect to $t$ is zero, or where

$$2tv^2 + 2(\mathbf{s} \cdot \mathbf{v}) = 0. \quad (4)$$

That is, the minimum is achieved at time $\tau$:

$$\tau = -\frac{\mathbf{s} \cdot \mathbf{v}}{v^2}. \quad (5)$$

From dot_pos?(s, v) we have $\mathbf{s} \cdot \mathbf{v} > 0$, so the time of closest approach $\tau$ is negative,
i.e., in the past. Therefore, the aircraft are diverging. The proof works in the reverse
direction as well. □


The following is an immediate corollary:

Theorem 3.2 (criteria_independent).

$$\text{criteria?}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i)(\mathbf{v}_o') \Rightarrow \text{divergent?}(\mathbf{s}, \mathbf{v}_o' - \mathbf{v}_i).$$

Proof. The premise criteria?(s, v_o, v_i)(v_o') gives us $\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) > 0$. We instantiate
$\mathbf{v}$ in lemma dot_pos_divergent (3.1) with $\mathbf{v}_o' - \mathbf{v}_i$ and obtain the desired conclusion.

□

Lemma 3.3 (backbone). If the aircraft are originally in a divergent situation and
$\mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i) \leq K$, then for all non-negative $K$:

$$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) \geq K \;\text{AND}\; -\mathbf{s} \cdot (\mathbf{v}_i' - \mathbf{v}_o) \geq K
\;\Rightarrow\; \mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i') \geq K.$$

Proof. From the premises we have

$$\begin{aligned}
\mathbf{s} \cdot \mathbf{v}_o - \mathbf{s} \cdot \mathbf{v}_i &\leq K, \\
\mathbf{s} \cdot \mathbf{v}_o' - \mathbf{s} \cdot \mathbf{v}_i &\geq K, \\
-\mathbf{s} \cdot \mathbf{v}_i' + \mathbf{s} \cdot \mathbf{v}_o &\geq K,
\end{aligned}$$

or

$$\begin{aligned}
\mathbf{s} \cdot \mathbf{v}_o - \mathbf{s} \cdot \mathbf{v}_i &\leq K, \\
-\mathbf{s} \cdot \mathbf{v}_o' + \mathbf{s} \cdot \mathbf{v}_i &\leq -K, \\
\mathbf{s} \cdot \mathbf{v}_i' - \mathbf{s} \cdot \mathbf{v}_o &\leq -K.
\end{aligned}$$

Adding these inequalities yields:

$$-\mathbf{s} \cdot \mathbf{v}_o' + \mathbf{s} \cdot \mathbf{v}_i' \leq -K,$$

or, equivalently,

$$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i') \geq K.$$

□


Theorem 3.4 (criteria_coordinated).

$$\text{criteria?}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i)(\mathbf{v}_o') \;\text{AND}\;
\text{criteria?}(-\mathbf{s}, \mathbf{v}_i, \mathbf{v}_o)(\mathbf{v}_i')
\;\Rightarrow\; \text{divergent?}(\mathbf{s}, \mathbf{v}_o' - \mathbf{v}_i').$$

Proof. The two premises give us:

$$\begin{aligned}
\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) &\geq \mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i), \\
-\mathbf{s} \cdot (\mathbf{v}_i' - \mathbf{v}_o) &\geq -\mathbf{s} \cdot (\mathbf{v}_i - \mathbf{v}_o).
\end{aligned}$$

Case 1: dot_pos?(s, v_o − v_i). Applying Lemma 3.3 with $K = \mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i)$, we get

$$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i') \geq K = \mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i).$$

From the case assumption we have $\mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i) > 0$, so $\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i') > 0$ and thus
from Lemma dot_pos_divergent (3.1) we have the desired conclusion.

Case 2: NOT dot_pos?(s, v_o − v_i). In this case we must show:

$$\begin{aligned}
\mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i) &\leq 0, \\
\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) &> 0, \\
-\mathbf{s} \cdot (\mathbf{v}_i' - \mathbf{v}_o) &> 0
\end{aligned}
\;\Rightarrow\; \text{divergent?}(\mathbf{s}, \mathbf{v}_o' - \mathbf{v}_i').$$

Expanding these, we obtain

$$\begin{aligned}
-s_x v_{ox} - s_y v_{oy} + s_x v_{ix} + s_y v_{iy} &\geq 0, \\
s_x v'_{ox} + s_y v'_{oy} - s_x v_{ix} - s_y v_{iy} &> 0, \\
-s_x v'_{ix} - s_y v'_{iy} + s_x v_{ox} + s_y v_{oy} &> 0.
\end{aligned}$$

Adding these inequalities together yields

$$s_x v'_{ox} + s_y v'_{oy} - s_x v'_{ix} - s_y v'_{iy} > 0,$$

or, more succinctly,

$$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i') > 0,$$

which is dot_pos?(s, v_o' − v_i'). From Lemma dot_pos_divergent (3.1), we have the
desired conclusion. □
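As an added illustration, not part of the paper, the following Python code implements dot_pos?, the revised criteria (1) and the time of closest approach from the proof of Theorem 3.1, and checks the conclusion of Theorem 3.4 on a constructed encounter and on random samples (the theorem is proved in PVS by the authors; the check here is numeric only). Positions are in nautical miles and speeds in knots, both constructed for the example.

```python
import math
import random

# 2-D vectors are (x, y) tuples; positions in nmi, velocities in knots (constructed units).
def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]

def sub(a, b):
    return (a[0] - b[0], a[1] - b[1])

def neg(a):
    return (-a[0], -a[1])

def dot_pos(s, v):
    """dot_pos?(s, v) = s . v > 0; equivalent to horizontal divergence (Theorem 3.1)."""
    return dot(s, v) > 0

def criteria(s, vo, vi, vo_new):
    """Revised horizontal criteria, Formula (1):
    s . (vo' - vi) > 0  AND  s . (vo' - vi) >= s . (vo - vi)."""
    new_dot = dot(s, sub(vo_new, vi))
    return new_dot > 0 and new_dot >= dot(s, sub(vo, vi))

def time_of_closest_approach(s, v):
    """tau = -(s . v) / (v . v) from the proof of Theorem 3.1; a negative value means
    the closest approach lies in the past, i.e. the aircraft are diverging."""
    vv = dot(v, v)
    return None if vv == 0 else -dot(s, v) / vv

def coordinated_divergence(s, vo, vi, vo_new, vi_new):
    """One instance of Theorem 3.4. Returns None when a premise (either criteria) fails,
    otherwise whether the combined maneuver vo' - vi' is divergent."""
    own_ok = criteria(s, vo, vi, vo_new)
    traffic_ok = criteria(neg(s), vi, vo, vi_new)   # traffic sees -s with the roles swapped
    if not (own_ok and traffic_ok):
        return None
    return dot_pos(s, sub(vo_new, vi_new))

def worked_encounter():
    """Constructed LoS encounter: ownship 2 nmi east and 1 nmi north of traffic, both
    northbound, closing at 200 kt. Each turns away; both new vectors satisfy (1)."""
    s = (2.0, 1.0)
    vo, vi = (-100.0, 300.0), (100.0, 300.0)          # s . (vo - vi) = -400: convergent
    vo_new, vi_new = (200.0, 300.0), (-200.0, 300.0)
    divergent = coordinated_divergence(s, vo, vi, vo_new, vi_new)
    return divergent, time_of_closest_approach(s, sub(vo_new, vi_new))

def random_check(trials=2000, seed=1):
    """Sample states and candidate maneuvers; whenever both criteria hold, the conclusion
    of Theorem 3.4 must hold. Returns (no_counterexample_found, cases_checked)."""
    rng = random.Random(seed)
    checked = 0
    for _ in range(trials):
        rnd = lambda lo, hi: (rng.uniform(lo, hi), rng.uniform(lo, hi))
        s, vo, vi = rnd(-4, 4), rnd(-10, 10), rnd(-10, 10)
        vo_new, vi_new = rnd(-10, 10), rnd(-10, 10)
        result = coordinated_divergence(s, vo, vi, vo_new, vi_new)
        if result is None:
            continue                      # premises not met: theorem says nothing
        checked += 1
        if not result:
            return False, checked         # would be a counterexample to Theorem 3.4
    return True, checked

if __name__ == "__main__":
    print(worked_encounter())   # (True, -0.005): divergent, closest approach 0.005 h ago
    print(random_check())
```

The random check only samples cases where both premises hold, which is the only situation the theorem speaks about; the constructed encounter shows the same thing on one concrete geometry.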


4 Horizontal Maneuvers for Loss of Separation Recovery

In the previous paper [1] , we proposed criteria that guaranteed divergence and a time 
to exit that was bounded. But we were never able to prove a suitable horizontal 
theorem for coordination under that criteria. Our new criteria is much simpler and 
lends itself to some simple algorithms. 

Our algorithms are based upon the idea that the time to exit the protection zone
can be controlled by seeking solutions that solve $\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) = J$. The larger the
value of $J$, the smaller the time to exit. We will present the mathematical theory
and then discuss methods for selecting a suitable value of $J$.

4.1 Ground Speed Only 

4.1.1 Theory 

We are concerned with the situation where a loss of separation has already occurred.
So we have:

$$\|\mathbf{s}\| < D.$$

We seek solutions where

$$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) = J \quad (6)$$

and

$$\mathbf{v}_o' = k\,\mathbf{v}_o,$$

in 2 dimensions. Substituting this last equation into the first, we have

$$\mathbf{s} \cdot (k\,\mathbf{v}_o - \mathbf{v}_i) = J.$$

Solving for $k$:

$$k = \frac{J + (\mathbf{s} \cdot \mathbf{v}_i)}{\mathbf{s} \cdot \mathbf{v}_o} \quad (7)$$

as long as $\mathbf{s} \cdot \mathbf{v}_o \neq 0$.


4.1.2 Algorithm 

The algorithm computes a new ground speed using equation (7). If this value is
positive a solution is returned, otherwise a zero vector is returned. Note also that
the calculation is guarded by a test on $\mathbf{s} \cdot \mathbf{v}_o \neq 0$ to prevent a division by zero.

    los_gspd(s, v_o, v_i, J) : Vect2 =
      IF s · v_o ≠ 0 THEN
        k = (s · v_i + J) / (s · v_o)
        IF k > 0 THEN k v_o
        ELSE (0, 0)
        END IF
      ELSE (0, 0)
      END IF


The horizontal LoS criteria requires that

$$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) \geq \mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i).$$

This is trivially true when the aircraft are originally convergent, because $\mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i)$
is negative and $J > 0$. When the aircraft are already divergent some additional
logic is needed:

    los_gs(s, v_o, v_i, J) : Vect2 =
      v_o' = los_gspd(s, v_o, v_i, J)
      IF v_o' = (0, 0) THEN (0, 0)
      ELSIF s · (v_o − v_i) > 0 THEN
        IF s · (v_o' − v_i) ≥ s · (v_o − v_i) THEN v_o'
        ELSE v_o
        END IF
      ELSE v_o'
      END IF

Coordinated divergence is guaranteed for all values of $J$. But how should we choose
a good value for $J$? The larger $J$, the more drastic the maneuver will be. We
would like to define a normalized version of this parameter that takes on a value
between 0 and 1. To do this we must calculate a maximum value of the dot product
$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i)$ as $\mathbf{v}_o'$ is varied. But as the ground speed is increased, the value of
this dot product will monotonically increase or decrease, because $\mathbf{v}_o' = c\,\mathbf{v}_o$ and
$\mathbf{s} \cdot (c\,\mathbf{v}_o - \mathbf{v}_i) = c(\mathbf{s} \cdot \mathbf{v}_o) - (\mathbf{s} \cdot \mathbf{v}_i)$, which is a linear function of $c$. Therefore, we will
assume a maximum operational ground speed, say max_gs. Then, we calculate a
maximum value of the dot product as follows:

    maxDot(s, v_o, v_i) : posreal =
      c = max_gs / ||v_o||
      m = s · (c v_o − v_i)
      IF m ≠ 0 THEN |m|
      ELSE |s · (0.99 c v_o − v_i)|
      END IF

The ELSE expression is included for the rare case where $m = 0$. It is easy to show
that if $m = 0$, then $|\mathbf{s} \cdot (0.99\,c\,\mathbf{v}_o - \mathbf{v}_i)| \neq 0$ assuming that $\mathbf{s} \cdot \mathbf{v}_o \neq 0$, which will
always be the case here. The final form is

    los_gs_alg(s, v_o, v_i) : Vect2 =
      j_0 = η_gs (D − ||s||) / D
      IF s · v_o = 0 THEN (0, 0)
      ELSE los_gs(s, v_o, v_i, j_0 · maxDot(s, v_o, v_i))
      END IF

Note that the factor $\eta_{gs}$ is a constant between 0 and 1. It effectively decreases the
maximum value of $J$. We will refer to this parameter as an aggressiveness parameter
because it limits the severity of the maneuvers.

4.1.3 Correctness 

Lemma 4.1 (los_gs_alg_crit). If $\mathbf{v}_o'$ = los_gs_alg(s, v_o, v_i) is non-zero, then
criteria?(s, v_o, v_i)(v_o').

Proof. We must show that los_gs_alg satisfies the horizontal criteria (Formula 1).
The algorithm los_gs_alg calls los_gs with a value of

$$J = \eta_{gs}\,\frac{D - \|\mathbf{s}\|}{D}\,\text{maxDot}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i),$$

which is positive in the loss of separation case. We then note that los_gs calls los_gspd
with this same positive value of $J$. If los_gspd returns a non-zero vector $\mathbf{v}_o'$, then
we know that we have $\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) = J > 0$ (Formula 6), which satisfies the first
condition of the criteria. The second condition of the criteria

$$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) \geq \mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i)$$

is guaranteed by the presence of precisely this test in the los_gs function. Note
that whenever $\mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i)$ is negative, this condition is true because $J > 0$. When
this test fails los_gs sets $\mathbf{v}_o' = \mathbf{v}_o$, which trivially satisfies this condition. □

Theorem 4.2 (los_gs_alg_independent). If $\mathbf{v}_o'$ = los_gs_alg(s, v_o, v_i) is non-zero,
then divergent?(s, v_o' − v_i).

Proof. Lemma los_gs_alg_crit (4.1) assures us that the value $\mathbf{v}_o'$ returned by
los_gs_alg satisfies the horizontal criteria. Then by lemma criteria_independent
(3.2) we have the needed result. □

Theorem 4.3 (los_gs_alg_coordinated). If $\mathbf{v}_o'$ = los_gs_alg(s, v_o, v_i) is non-zero,
and $\mathbf{v}_i'$ = los_gs_alg(−s, v_i, v_o) is non-zero, then divergent?(s, v_o' − v_i').

Proof. Lemma los_gs_alg_crit (4.1) assures us that both $\mathbf{v}_o'$ and $\mathbf{v}_i'$ satisfy the
horizontal criteria. Then the premises of lemma criteria_coordinated (3.4) are
satisfied and we have the desired result. □


4.2 Track Only Solutions 
4.2.1 Theory 

We are concerned with the situation where a loss of separation has already occurred.
So we have:

$$\|\mathbf{s}\| < D.$$

We seek solutions where

$$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) = J \quad (8)$$

and

$$\|\mathbf{v}_o'\| = \|\mathbf{v}_o\|$$

in 2 dimensions. Expanding the first equation,

$$\begin{aligned}
\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) &= J, \\
\mathbf{s} \cdot \mathbf{v}_o' &= \mathbf{s} \cdot \mathbf{v}_i + J, \\
s_x v'_{ox} + s_y v'_{oy} &= \mathbf{s} \cdot \mathbf{v}_i + J, \\
s_y v'_{oy} &= \mathbf{s} \cdot \mathbf{v}_i + J - s_x v'_{ox}.
\end{aligned}$$

We will seek solutions to this equation by squaring both sides

$$(s_y v'_{oy})^2 = (\mathbf{s} \cdot \mathbf{v}_i + J - s_x v'_{ox})^2.$$

We will get two solutions from this quadratic equation, from which we will only use
the solution where $\text{sign}(s_y v'_{oy}) = \text{sign}(\mathbf{s} \cdot \mathbf{v}_i + J - s_x v'_{ox})$. For a track only solution
we also need to constrain the solution by

$$\|\mathbf{v}_o'\|^2 = \|\mathbf{v}_o\|^2,$$

or

$$(v'_{oy})^2 = v_o^2 - (v'_{ox})^2, \quad (9)$$

where $v_o^2 = \|\mathbf{v}_o\|^2$ and, below, $s^2 = \|\mathbf{s}\|^2$. Substituting we have

$$s_y^2\,(v_o^2 - (v'_{ox})^2) = (\mathbf{s} \cdot \mathbf{v}_i + J - s_x v'_{ox})^2.$$

Rearranging,

$$s^2 (v'_{ox})^2 - 2(\mathbf{s} \cdot \mathbf{v}_i + J)\,s_x\,v'_{ox} + (\mathbf{s} \cdot \mathbf{v}_i + J)^2 - s_y^2 v_o^2 = 0, \quad (10)$$

which is a quadratic equation in $v'_{ox}$ with

$$\begin{aligned}
a &= s^2, \\
b &= -2 s_x (\mathbf{s} \cdot \mathbf{v}_i + J), \\
c &= (\mathbf{s} \cdot \mathbf{v}_i + J)^2 - s_y^2 v_o^2.
\end{aligned} \quad (11)$$

The other component $v'_{oy}$ can be obtained from Equation (9) as follows

$$\begin{aligned}
\epsilon &= \text{sign}(s_y)\,\text{sign}(-s_x v'_{ox} + (\mathbf{s} \cdot \mathbf{v}_i) + J), \\
v'_{oy} &= \epsilon \sqrt{v_o^2 - (v'_{ox})^2}.
\end{aligned} \quad (12)$$
4.2.2 Algorithm

The algorithm just solves the quadratic equation (10). If the discriminant of the
equation is non-negative, then a solution is provided, otherwise a zero vector is
returned:

    los_trk_only(s, v_o, v_i, ρ, J) : Vect2 =
      a = s^2
      b = −2 s_x (s · v_i + J)
      c = (s · v_i + J)^2 − s_y^2 (v_o · v_o)
      IF discr(a, b, c) ≥ 0 THEN
        v_ox' = root(a, b, c, ρ)
        e_y = sign(s_y) sign(−s_x v_ox' + (s · v_i) + J)
        wv = v_o^2 − (v_ox')^2
        IF wv ≥ 0 THEN (v_ox', e_y √wv)
        ELSE (0, 0)
        ENDIF
      ELSE (0, 0)
      ENDIF

where root(a, b, c, ρ) is defined as

$$\frac{-b + \rho\sqrt{b^2 - 4ac}}{2a}.$$

There are two solutions, for $\rho = \pm 1$. The horizontal LoS criteria requires that

$$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) \geq \mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i).$$
This is trivially true if the aircraft are convergent, but when the aircraft are already
divergent, i.e., when $\mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i) > 0$, some additional logic is needed:

    los_to(s, v_o, v_i, ρ, J) : Vect2 =
      v_o' = los_trk_only(s, v_o, v_i, ρ, J)
      IF v_o' = (0, 0) THEN (0, 0)
      ELSIF s · (v_o − v_i) > 0 THEN
        IF s · (v_o' − v_i) ≥ s · (v_o − v_i) THEN v_o'
        ELSE v_o
        END IF
      ELSE v_o'
      END IF

Coordinated divergence is guaranteed for all values of $J$. But how should we choose a value
for $J$ that gives us good performance? The larger $J$, the more drastic the maneuver
is. We would like to define a normalized version of this parameter to take on a value
between 0 and 1. To do this we must calculate a maximum value of the dot product
$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i)$ as $\mathbf{v}_o'$ is varied. The maximum value of the dot product occurs when
the track angle is at the same angle as $\mathbf{s}$. This follows because

$$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) = \mathbf{s} \cdot \mathbf{v}_o' - \mathbf{s} \cdot \mathbf{v}_i = \|\mathbf{s}\|\,\|\mathbf{v}_o'\| \cos\theta - \mathbf{s} \cdot \mathbf{v}_i,$$

where $\theta$ is the angle between the vectors. The cosine achieves a maximum when $\mathbf{v}_o'$
is parallel to $\mathbf{s}$.

We can then calculate a maximum value of the dot product as follows, where $\mathbf{w}$ is the
vector of magnitude $\|\mathbf{v}_o\|$ in the direction of $\mathbf{s}$:

    maxdot(s, v_o, v_i) : posreal =
      w = (||v_o|| / ||s||) s
      IF s · (w − v_i) = 0 THEN 1
      ELSE |s · (w − v_i)|
      END IF

In the rare case where the maximum dot product is 0, i.e., when $\mathbf{s} \cdot (\mathbf{w} - \mathbf{v}_i) = 0$,
the returned value of 1 will result in a quadratic equation with no solution, and a
zero vector will be returned.

The los_to function returns two possible vectors, one for each value of $\rho$. The
following function chooses the one that results in the smallest change from the
current velocity vector:

    los_to_alg(s, v_o, v_i) : Vect2 =
      j_0 = maxdot(s, v_o, v_i) η_to (D − ||s||) / D
      v_1 = los_to(s, v_o, v_i, −1, j_0)
      v_2 = los_to(s, v_o, v_i, +1, j_0)
      IF ||v_1 − v_o|| ≤ ||v_2 − v_o|| THEN v_1
      ELSE v_2
      ENDIF

The aggressiveness of the maneuver is determined by the parameter $\eta_{to}$ and the
distance between the aircraft, through the factor $(D - \|\mathbf{s}\|)/D$.

4.2.3 Correctness 

Lemma 4.4 (los_to_crit). If $\mathbf{v}_o'$ = los_to(s, v_o, v_i, ρ, J) is non-zero and $J > 0$,
then criteria?(s, v_o, v_i)(v_o').

Proof. We must show that los_to satisfies the horizontal criteria (formula 1). The
algorithm los_to calls los_trk_only with this same positive value of $J$. The
function los_trk_only sets $v'_{ox}$ to the root of the quadratic equation (formula 10)
when the discriminant is non-negative. Otherwise it returns a zero vector. It sets
$v'_{oy} = e_y\sqrt{v_o^2 - (v'_{ox})^2}$. Together these ensure that $\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) = J > 0$ and $\|\mathbf{v}_o'\| = \|\mathbf{v}_o\|$.
Thus, if los_trk_only returns a non-zero vector $\mathbf{v}_o'$ then we know that we have
$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) = J > 0$ (formula 8), which satisfies the first condition of the criteria.
The second condition of the criteria

$$\mathbf{s} \cdot (\mathbf{v}_o' - \mathbf{v}_i) \geq \mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i)$$

is guaranteed by the presence of precisely this test in the los_to function. Note
that whenever $\mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i)$ is negative, this condition is true because $J > 0$. When
this test fails los_to sets $\mathbf{v}_o' = \mathbf{v}_o$, which trivially satisfies this condition. □

Lemma 4.5 (los_to_alg_crit). If $\mathbf{v}_o'$ = los_to_alg(s, v_o, v_i) is non-zero, then
criteria?(s, v_o, v_i)(v_o').

Proof. The algorithm los_to_alg calls los_to twice for the two possible values
of $\rho$. We end up with two vectors $\mathbf{v}_1$ and $\mathbf{v}_2$, both of which meet the horizontal
criteria by lemma los_to_crit (4.4). The function los_to_alg returns one of
these values, so we have the desired result. □

Theorem 4.6 (los_to_alg_independent). If $\mathbf{v}_o'$ = los_to_alg(s, v_o, v_i) is non-zero,
then divergent?(s, v_o' − v_i).

Proof. Lemma los_to_alg_crit (4.5) assures us that the value $\mathbf{v}_o'$ returned by
los_to_alg satisfies the horizontal criteria. Then by lemma criteria_independent
(3.2) we have the needed result. □

Theorem 4.7 (los_to_alg_coordinated). If $\mathbf{v}_o'$ = los_to_alg(s, v_o, v_i) is non-zero,
and $\mathbf{v}_i'$ = los_to_alg(−s, v_i, v_o) is non-zero, then divergent?(s, v_o' − v_i').

Proof. Lemma los_to_alg_crit (4.5) assures us that both $\mathbf{v}_o'$ and $\mathbf{v}_i'$ satisfy the
horizontal criteria. Then the premises of lemma criteria_coordinated (3.4) are
satisfied and we have the desired result. □
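As an added example, not the paper's own code (the authors' development is in PVS, with a Java implementation mentioned in Section 4.4), here is a Python rendering of the track-only algorithms of Section 4.2 (los_trk_only, root, los_to, maxdot, los_to_alg) together with the criteria check of Section 3, run on a constructed encounter in which both aircraft maneuver. The vector w inside maxdot is taken as the vector of magnitude ||v_o|| along s, which is what the parallel-to-s argument above implies; D and η_to are passed as parameters rather than being constants, and all numeric values are constructed.

```python
import math

# 2-D vectors are (x, y) tuples; positions in nmi, speeds in knots (constructed units).
def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]

def sub(a, b):
    return (a[0] - b[0], a[1] - b[1])

def scale(a, k):
    return (k * a[0], k * a[1])

def norm(a):
    return math.hypot(a[0], a[1])

def sign(x):
    """Two-valued sign function (Section 5.1): 1 for x >= 0, else -1."""
    return 1 if x >= 0 else -1

def discr(a, b, c):
    return b * b - 4 * a * c

def root(a, b, c, rho):
    """root(a, b, c, rho) = (-b + rho*sqrt(b^2 - 4ac)) / (2a), rho = +-1."""
    return (-b + rho * math.sqrt(discr(a, b, c))) / (2 * a)

def los_trk_only(s, vo, vi, rho, J):
    """Solve quadratic (10) for v'_ox and recover v'_oy from (12); (0,0) means no solution."""
    sx, sy = s
    M = dot(s, vi) + J
    a = sx * sx + sy * sy                   # s^2
    b = -2 * sx * M
    c = M * M - sy * sy * dot(vo, vo)       # coefficients (11)
    if discr(a, b, c) < 0:
        return (0.0, 0.0)
    vox = root(a, b, c, rho)
    ey = sign(sy) * sign(-sx * vox + M)     # pick the sign that makes s . vo' = s . vi + J
    wv = dot(vo, vo) - vox * vox
    if wv < 0:
        return (0.0, 0.0)
    return (vox, ey * math.sqrt(wv))

def los_to(s, vo, vi, rho, J):
    """los_to: when already divergent, refuse a solution that shrinks the dot product."""
    vo_new = los_trk_only(s, vo, vi, rho, J)
    if vo_new == (0.0, 0.0):
        return vo_new
    if dot(s, sub(vo, vi)) > 0 and dot(s, sub(vo_new, vi)) < dot(s, sub(vo, vi)):
        return vo
    return vo_new

def maxdot(s, vo, vi):
    """Largest attainable s . (vo' - vi): vo' of magnitude ||vo|| pointing along s (assumed w)."""
    w = scale(s, norm(vo) / norm(s))
    m = dot(s, sub(w, vi))
    return 1.0 if m == 0 else abs(m)

def los_to_alg(s, vo, vi, D, eta_to):
    """los_to_alg; D and eta_to are constants in the paper, parameters here."""
    j0 = maxdot(s, vo, vi) * eta_to * (D - norm(s)) / D
    v1 = los_to(s, vo, vi, -1, j0)
    v2 = los_to(s, vo, vi, +1, j0)
    return v1 if norm(sub(v1, vo)) <= norm(sub(v2, vo)) else v2

def criteria(s, vo, vi, vo_new):
    """Revised horizontal criteria, Formula (1)."""
    new_dot = dot(s, sub(vo_new, vi))
    return new_dot > 0 and new_dot >= dot(s, sub(vo, vi))

# Constructed encounter: D = 5 nmi; ownship 3 nmi east and 1 nmi north of traffic (inside D),
# westbound at 300 kt; traffic south-eastbound at ~474 kt. s . (vo - vi) = -900: convergent.
D, ETA_TO = 5.0, 0.5
S, VO, VI = (3.0, 1.0), (-300.0, 0.0), (150.0, -450.0)

def both_maneuver(s=S, vo=VO, vi=VI, D=D, eta=ETA_TO):
    """Each aircraft runs los_to_alg on its own (traffic with -s and swapped roles).
    Returns both new vectors and the coordinated check s . (vo' - vi') > 0 (Theorem 4.7)."""
    vo_new = los_to_alg(s, vo, vi, D, eta)
    vi_new = los_to_alg((-s[0], -s[1]), vi, vo, D, eta)
    return vo_new, vi_new, dot(s, sub(vo_new, vi_new)) > 0
```

With J = 300 the constructed geometry gives exact roots, (180, −240) for ρ = +1 and (0, 300) for ρ = −1, both of speed 300 kt with s · v_o' = 300, which is a convenient way to see equations (10) to (12) at work before the normalised J of los_to_alg is used.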

4.3 Timeliness of Recovery 

In our first paper, the concept of horizontal correctness included a parameter that
specified a maximum time to exit $T_h$:

$$\begin{aligned}
\text{xy\_correct?}[T_h](\mathbf{s}, \mathbf{v}_i)(\mathbf{v}_o') = {}& \text{xy\_divergent?}(\mathbf{s}, \mathbf{v}_o' - \mathbf{v}_i) \;\text{AND} \\
& \text{horizontal\_separation?}(\mathbf{s} + T_h(\mathbf{v}_o' - \mathbf{v}_i)).
\end{aligned}$$

The hope was that each aircraft could independently calculate new vectors $\mathbf{v}_o'$ and
$\mathbf{v}_i'$ such that

$$T_h > \text{tteh}(\mathbf{s}, \mathbf{v}_o' - \mathbf{v}_i), \qquad T_h > \text{tteh}(-\mathbf{s}, \mathbf{v}_i' - \mathbf{v}_o),$$

and that together these would be sufficient to establish

$$T_h > \text{tteh}(\mathbf{s}, \mathbf{v}_o' - \mathbf{v}_i'),$$

which is the needed coordinated result. Unfortunately this was not the case.

We now propose an alternative approach that exploits the aggressiveness parameters
$\eta_{gs}$ and $\eta_{to}$. The idea is to achieve timeliness via iterative update. The first
execution of the algorithm will result in a divergent solution, but the divergence rate
may be too slow. This can be determined by calculating the time to exit using the
new vectors

$$\text{tteh}(\mathbf{s}, \mathbf{v}_o', \mathbf{v}_i') = \Theta_D(\mathbf{s}, \mathbf{v}_o', \mathbf{v}_i') = \frac{-b + \sqrt{b^2 - 4ac}}{2a},$$

where $a$, $b$, $c$ are the coefficients of a quadratic equation:

$$\begin{aligned}
\mathbf{v} &= \mathbf{v}_o' - \mathbf{v}_i', \\
a &= (\mathbf{v} \cdot \mathbf{v}), \\
b &= 2(\mathbf{s} \cdot \mathbf{v}), \\
c &= (\mathbf{s} \cdot \mathbf{s}) - D^2.
\end{aligned}$$

If the time to exit is less than the desired time, i.e., $T_h$, the values of $\eta_{gs}$ and $\eta_{to}$
can be increased by 5%. Of course, the iterative update should only occur after
the aircraft has achieved the previously commanded velocity vectors. This iterative
increase of $\eta_{gs}$ and $\eta_{to}$ can continue until the desired value is reached or the maximum
values of these parameters are reached.
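As an added example, not code from the paper, the following Python block implements the ground-speed-only algorithms of Section 4.1 (los_gspd, los_gs, maxDot, los_gs_alg) and the time-to-exit function Θ_D of Section 4.3, and applies the 5% step on η_gs described above until the time to exit is within T_h or η_gs reaches its maximum. D, max_gs, η_gs and T_h are passed as parameters (the paper treats them as constants), the encounter values are constructed, and two simplifications are my assumptions: a zero vector (no solution) is treated as "keep the current velocity", and the relative state is held fixed across iterations to show the parameter schedule, whereas in flight each step would wait for the commanded vectors to be achieved and re-measure s.

```python
import math

# 2-D vectors (x, y); positions in nmi, speeds in knots, times in hours (constructed units).
def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]

def sub(a, b):
    return (a[0] - b[0], a[1] - b[1])

def scale(a, k):
    return (k * a[0], k * a[1])

def neg(a):
    return (-a[0], -a[1])

def norm(a):
    return math.hypot(a[0], a[1])

def los_gspd(s, vo, vi, J):
    """Ground-speed-only solution of (6)-(7): vo' = k vo with s . (k vo - vi) = J."""
    svo = dot(s, vo)
    if svo == 0:
        return (0.0, 0.0)                   # guard against division by zero
    k = (dot(s, vi) + J) / svo
    return scale(vo, k) if k > 0 else (0.0, 0.0)

def los_gs(s, vo, vi, J):
    """los_gs: keep vo when already divergent and the new dot product would shrink."""
    vo_new = los_gspd(s, vo, vi, J)
    if vo_new == (0.0, 0.0):
        return vo_new
    if dot(s, sub(vo, vi)) > 0 and dot(s, sub(vo_new, vi)) < dot(s, sub(vo, vi)):
        return vo
    return vo_new

def max_dot(s, vo, vi, max_gs):
    """maxDot: dot product attained at the assumed maximum operational ground speed."""
    c = max_gs / norm(vo)
    m = dot(s, sub(scale(vo, c), vi))
    return abs(m) if m != 0 else abs(dot(s, sub(scale(vo, 0.99 * c), vi)))

def los_gs_alg(s, vo, vi, D, eta_gs, max_gs):
    """los_gs_alg with D, eta_gs and max_gs passed explicitly."""
    if dot(s, vo) == 0:
        return (0.0, 0.0)
    j0 = eta_gs * (D - norm(s)) / D
    return los_gs(s, vo, vi, j0 * max_dot(s, vo, vi, max_gs))

def tteh(s, vo_new, vi_new, D):
    """Theta_D: time to exit the protected circle of radius D, the larger root of
    (v.v) t^2 + 2(s.v) t + (s.s - D^2) = 0 with v = vo' - vi'."""
    v = sub(vo_new, vi_new)
    a, b, c = dot(v, v), 2 * dot(s, v), dot(s, s) - D * D
    if a == 0:
        return math.inf                     # no relative motion: never exits
    return (-b + math.sqrt(b * b - 4 * a * c)) / (2 * a)

def tune_aggressiveness(s, vo, vi, D, T_h, eta_start, eta_max, max_gs):
    """Section 4.3 schedule: raise eta_gs by 5% per step until tteh <= T_h or eta_max.
    Both aircraft run los_gs_alg independently; a zero vector is read as 'keep current
    velocity' (assumption). Returns (eta, time_to_exit, vo', vi')."""
    eta = eta_start
    while True:
        vo_new = los_gs_alg(s, vo, vi, D, eta, max_gs)
        vi_new = los_gs_alg(neg(s), vi, vo, D, eta, max_gs)
        vo_new = vo if vo_new == (0.0, 0.0) else vo_new
        vi_new = vi if vi_new == (0.0, 0.0) else vi_new
        t = tteh(s, vo_new, vi_new, D)
        if t <= T_h or eta >= eta_max:
            return eta, t, vo_new, vi_new
        eta = min(eta * 1.05, eta_max)

# Constructed encounter: D = 5 nmi; ownship 3 nmi east and 1 nmi north of traffic, eastbound
# at 300 kt; traffic overtaking from the south-west at ~474 kt. s . (vo - vi) = -600: convergent.
D, MAX_GS = 5.0, 600.0
S, VO, VI = (3.0, 1.0), (300.0, 0.0), (450.0, 150.0)
```

With J = 300 the ownship solution is k = 2 (speed up to 600 kt) and the traffic solution is k = 0.4 (slow to about 190 kt); at η_gs = 0.5 the two normalised solutions leave the 5 nmi circle in roughly 23 s, and the schedule raises η_gs until the exit time is within the requested T_h.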
4.4 Numerical Instability

The calculation of the discriminant for the quadratic equation (11) for the track
only algorithm was found to be numerically unstable in our Java implementations.
The straightforward calculation

$$b^2 - 4ac,$$

where

$$\begin{aligned}
a &= s^2, \\
b &= -2 s_x M, \\
c &= M^2 - s_y^2 v_o^2, \\
M &= \mathbf{s} \cdot \mathbf{v}_i + J,
\end{aligned}$$

results in the following subtraction

$$4M^2 s_x^2 - 4M^2 s^2.$$

Since $M \gg 1$ this can lead to a massive loss of precision when $s_x^2$ is nearly equal
to $s^2$. This occurs when $s_y$ is zero or near to zero.

The instability manifested itself in practice in a scenario where the theoretical
value of the discriminant was zero, i.e., $s_y = 0$. As the intruder's initial velocity
vector ($\mathbf{v}_i$) was varied, the value of $M$ changed. The los_to_alg failed to produce
a solution in some cases because the calculated value of the discriminant was a small
negative number rather than 0. As the heading of the intruder was changed, the
los_to_alg would alternate between producing a solution and not.

The massive cancellation can be reduced by changing the order of calculation as
follows

$$4M^2 (s_x^2 - s^2).$$

Another solution is possible. In Section 4.2.1, the solution vector was obtained
by first solving for $v'_{ox}$ and then $v'_{oy}$ was obtained from the constraint $\|\mathbf{v}_o'\| = \|\mathbf{v}_o\|$.
The opposite approach can also be used: first solve for $v'_{oy}$ via the quadratic equation
$a(v'_{oy})^2 + b\,v'_{oy} + c = 0$ where

$$\begin{aligned}
a &= s^2, \\
b &= -2 s_y (\mathbf{s} \cdot \mathbf{v}_i + J), \\
c &= (\mathbf{s} \cdot \mathbf{v}_i + J)^2 - s_x^2 v_o^2,
\end{aligned} \quad (13)$$

then obtain $v'_{ox}$ using the norm constraint as follows

$$\begin{aligned}
\epsilon_x &= \text{sign}(s_x)\,\text{sign}(-s_y v'_{oy} + (\mathbf{s} \cdot \mathbf{v}_i) + J), \\
v'_{ox} &= \epsilon_x \sqrt{v_o^2 - (v'_{oy})^2}.
\end{aligned} \quad (14)$$

So a practical approach is to use the $v'_{ox}$ quadratic (equation 10) when $|s_x| < |s_y|$ and
use the $v'_{oy}$ quadratic (equation 13) otherwise.
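To make the cancellation visible, the following added Python code (my own, not the paper's Java implementation) evaluates the discriminant both ways for the s_y = 0 case described above, counts how often the naive form comes out negative as M is varied, and then implements the axis-selecting solver suggested in the last paragraph: the v'_ox quadratic (10) when |s_x| < |s_y|, the v'_oy quadratic (13) otherwise, with the other component recovered by (12) or (14). All inputs are constructed.

```python
import math

def sign(x):
    """Two-valued sign function: 1 for x >= 0, else -1."""
    return 1 if x >= 0 else -1

def discr_naive(p, q, M, vo2):
    """b^2 - 4ac straight from coefficients (11)/(13): p multiplies the unknown component
    (s_x for equation 10, s_y for equation 13), q is the other component, vo2 = ||vo||^2."""
    a = p * p + q * q
    b = -2.0 * p * M
    c = M * M - q * q * vo2
    return b * b - 4.0 * a * c

def discr_reordered(p, q, M, vo2):
    """Same quantity as 4 M^2 (p^2 - s^2) + 4 s^2 q^2 vo^2: the reordering from Section 4.4
    puts the cancellation on the small factor (p^2 - s^2), which is exactly 0 when q = 0."""
    s2 = p * p + q * q
    return 4.0 * M * M * (p * p - s2) + 4.0 * s2 * q * q * vo2

def scan_sign_errors(sx=3.0, vo2=300.0 ** 2, n=400):
    """Reproduce the reported symptom: with s_y = 0 the true discriminant of (10) is 0.
    Vary M (as the intruder heading would) and classify the naive result.
    Returns (negatives, positives, zeros, reordered_exact_zeros). Constructed inputs."""
    negatives = positives = zeros = reordered_zero = 0
    for k in range(n):
        M = 1000.0 + 0.0371 * k                  # s . vi + J with many significant bits
        d = discr_naive(sx, 0.0, M, vo2)
        if d < 0:
            negatives += 1                       # 'no solution' although one exists
        elif d > 0:
            positives += 1
        else:
            zeros += 1
        if discr_reordered(sx, 0.0, M, vo2) == 0.0:
            reordered_zero += 1
    return negatives, positives, zeros, reordered_zero

def solve_track_only(s, vo, vi, rho, J):
    """Track-only solution on the better-conditioned axis. Returns (0.0, 0.0) when no
    solution; rho = +-1 selects the root as in root(a, b, c, rho)."""
    sx, sy = s
    M = sx * vi[0] + sy * vi[1] + J
    vo2 = vo[0] ** 2 + vo[1] ** 2
    use_x = abs(sx) < abs(sy)
    p, q = (sx, sy) if use_x else (sy, sx)       # p: solved component, q: recovered one
    a, b = p * p + q * q, -2.0 * p * M
    d = discr_reordered(p, q, M, vo2)
    if d < 0:
        return (0.0, 0.0)
    u = (-b + rho * math.sqrt(d)) / (2.0 * a)    # the solved component
    rest = vo2 - u * u
    if rest < 0:
        return (0.0, 0.0)
    w = sign(q) * sign(-p * u + M) * math.sqrt(rest)   # the other component, (12)/(14)
    return (u, w) if use_x else (w, u)
```

In the s_y = 0 scan the reordered form returns exactly 0 every time, while the naive form scatters around 0 and is negative for a share of the M values, which is the alternating "solution / no solution" behaviour the text reports. For s = (3, 0) the solver switches to the v'_oy quadratic, whose discriminant is far from zero, and returns both roots (180, ±240) for J = 540.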
5 Vertical Maneuvers for Loss of Separation Recovery

We have not altered the vertical correctness properties or criteria from the original
paper. We reproduce these here for the convenience of the reader.

5.1 Correctness Definition and Vertical Criteria

$$\begin{aligned}
\text{z\_correct?}[T_v](\mathbf{s}, \mathbf{v}_i)(\mathbf{v}_o') = {}& \text{z\_divergent?}(\mathbf{s}, \mathbf{v}_o' - \mathbf{v}_i) \;\text{AND} \\
& \text{vertical\_separation?}(\mathbf{s} + T_v(\mathbf{v}_o' - \mathbf{v}_i)),
\end{aligned}$$

where

$$\text{z\_divergent?}(\mathbf{s}, \mathbf{v}) = \forall t : t > 0 \Rightarrow |s_z| < |s_z + t v_z|,$$

and

$$\text{vertical\_separation?}(\mathbf{s}) = |s_z| > H.$$

The parameter $T_v$ specifies a maximum time to recover in the vertical dimension.

The vertical criteria is

$$\begin{aligned}
\text{z\_criteria?}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i)(\mathbf{v}_o') = {}& (v'_{oz} - v_{iz}) \neq 0 \;\text{AND} \\
& \text{z\_prop?}(\mathbf{s}, \mathbf{v}_o' - \mathbf{v}_i) \;\text{AND} \\
& (\text{z\_prop?}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) \Rightarrow \\
& \quad ((v_{oz} - v_{iz}) \neq 0 \;\text{AND}\; \text{sign}(v_{oz} - v_{iz})\,(v'_{oz} - v_{iz}) > 0) \;\text{OR} \\
& \quad ((v_{oz} - v_{iz}) = 0 \;\text{AND}\; \text{break\_vz\_symm}(\mathbf{s})\,(v'_{oz} - v_{iz}) > 0)),
\end{aligned}$$

where z_prop? is defined as

$$\text{z\_prop?}(\mathbf{s}, \mathbf{v}) = s_z v_z \geq 0,$$

and sign is the two-valued sign function:

    sign(x) = IF x ≥ 0 THEN 1 ELSE −1 END IF

The break_vz_symm function is used in the rare situation where $(v_{oz} - v_{iz}) = 0$ to
overcome the symmetry. It can be any function which satisfies the following two
properties:

$$\begin{aligned}
\mathbf{s} \neq \mathbf{0} &\Rightarrow \text{break\_vz\_symm}(-\mathbf{s}) = -\text{break\_vz\_symm}(\mathbf{s}), \\
s_z \neq 0 &\Rightarrow \text{break\_vz\_symm}(\mathbf{s}) = \text{sign}(s_z).
\end{aligned}$$
5.2 Vertical Algorithm

The vertical LoS algorithm is

    z_recovery(s, v_o, v_i, t) =
      nvz = (sign_vz(s, v_o − v_i) H − s_z) / t
      IF z_prop?(s, v_o − v_i) AND |v_z| ≥ |nvz| THEN (v_ox, v_oy, v_oz)
      ELSE (v_ox, v_oy, nvz + v_iz)
      END IF

where sign_vz is

    sign_vz(s, v) =
      IF z_prop?(s, v) AND v_z ≠ 0 THEN sign(v_z)
      ELSE break_vz_symm(s)
      ENDIF

The break_vz_symm function is defined as follows:

    break_vz_symm(s) =
      IF s_z > 0 OR (s_z = 0 AND s_x < 0) OR (s_z = 0 AND s_x = 0 AND s_y < 0) THEN 1
      ELSE −1
      ENDIF
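As an added example (not the authors' PVS definitions), here is a Python rendering of z_recovery, sign_vz, break_vz_symm and the vertical criteria of Section 5.1, exercised on two constructed encounters: a co-altitude one with no relative vertical speed, where only break_vz_symm decides who climbs and who descends, and one where the ownship is above and already climbing fast enough that its velocity is kept. H and t are passed as parameters, vertical units are feet and feet per minute, and z_prop? is implemented with ≥ as reconstructed above.

```python
# 3-D vectors (x, y, z); horizontal parts in nmi and kt, vertical in ft and ft/min (constructed).
def sub3(a, b):
    return (a[0] - b[0], a[1] - b[1], a[2] - b[2])

def neg3(a):
    return (-a[0], -a[1], -a[2])

def sign(x):
    """Two-valued sign function: IF x >= 0 THEN 1 ELSE -1."""
    return 1 if x >= 0 else -1

def z_prop(s, v):
    """z_prop?(s, v) = s_z v_z >= 0: the relative vertical motion is not toward the traffic."""
    return s[2] * v[2] >= 0

def break_vz_symm(s):
    """Symmetry breaker of Section 5.2; satisfies the two properties listed in Section 5.1."""
    sx, sy, sz = s
    if sz > 0 or (sz == 0 and sx < 0) or (sz == 0 and sx == 0 and sy < 0):
        return 1
    return -1

def sign_vz(s, v):
    if z_prop(s, v) and v[2] != 0:
        return sign(v[2])
    return break_vz_symm(s)

def z_recovery(s, vo, vi, t, H):
    """Section 5.2: command the vertical speed that reaches exactly H of vertical
    separation after time t, unless the current relative vertical speed already does."""
    v = sub3(vo, vi)
    nvz = (sign_vz(s, v) * H - s[2]) / t
    if z_prop(s, v) and abs(v[2]) >= abs(nvz):
        return vo
    return (vo[0], vo[1], nvz + vi[2])

def z_criteria(s, vo, vi, vo_new):
    """Vertical criteria of Section 5.1, evaluated literally."""
    dz_new = vo_new[2] - vi[2]
    dz_old = vo[2] - vi[2]
    if dz_new == 0 or not z_prop(s, sub3(vo_new, vi)):
        return False
    if not z_prop(s, sub3(vo, vi)):
        return True                       # the implication holds vacuously
    if dz_old != 0:
        return sign(dz_old) * dz_new > 0  # keep the existing vertical trend
    return break_vz_symm(s) * dz_new > 0  # symmetric case: follow the symmetry breaker

def recover_both(s, vo, vi, t, H):
    """Ownship and traffic each run z_recovery independently (traffic with -s and swapped
    roles). Returns both new vectors, each aircraft's criteria check, and |s_z| after time t
    when both follow their new vectors."""
    own = z_recovery(s, vo, vi, t, H)
    trf = z_recovery(neg3(s), vi, vo, t, H)
    sep_at_t = abs(s[2] + t * (own[2] - trf[2]))
    return own, trf, z_criteria(s, vo, vi, own), z_criteria(neg3(s), vi, vo, trf), sep_at_t

# Constructed scenarios: H = 1000 ft, t = 2 min.
H, T = 1000.0, 2.0
# Co-altitude head-on LoS: s_z = 0 and no relative vertical speed, so break_vz_symm decides.
S_COALT, VO_COALT, VI_COALT = (2.0, 1.0, 0.0), (300.0, 0.0, 0.0), (-300.0, 0.0, 0.0)
# Ownship 300 ft above and already climbing at 500 ft/min, which is enough: vo is kept.
S_ABOVE, VO_ABOVE, VI_ABOVE = (1.0, 0.0, 300.0), (300.0, 0.0, 500.0), (200.0, 0.0, 0.0)
```

In the co-altitude case the ownship is commanded to descend at 500 ft/min and the traffic, evaluating break_vz_symm on −s, to climb at 500 ft/min, so after two minutes they are 2000 ft apart; each aircraft's own criteria check passes, which is what makes the two independent decisions coordinated.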

5.3 Correctness Theorems

The vertical correctness theorems are

$$\text{z\_criteria\_tr?}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, T_v)(\mathbf{v}_o') \Rightarrow \text{z\_correct?}[T_v](\mathbf{s}, \mathbf{v}_i)(\mathbf{v}_o')$$

and

$$\begin{aligned}
& \text{z\_criteria\_tr?}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, T_v)(\mathbf{v}_o') \;\text{AND}\;
\text{z\_criteria\_tr?}(-\mathbf{s}, \mathbf{v}_i, \mathbf{v}_o, T_v)(\mathbf{v}_i') \\
& \Rightarrow \text{z\_correct?}[T_v](\mathbf{s}, \mathbf{v}_i')(\mathbf{v}_o').
\end{aligned}$$

The reader is referred to [1] for the proofs of correctness.


6 Future Work 

6.1 Coordination in the Presence of Errors 

In the analysis developed in this paper we have implicitly assumed that each air- 
craft has perfect knowledge of its own and traffic aircraft locations and velocities. 
We believe that this is an appropriate first step because certainly if one does not 
understand a system under ideal conditions, its behavior under realistic conditions 
will be unfathomable. There are two aspects of data inaccuracies that we must 
be concerned with. First, errors can accumulate over time and small inaccuracies 
can grow into large ones. Second, critical decisions are often made on the basis of 
specific values of input data. For example, the system is designed to change mode 
if a specified threshold is exceeded. In the presence of data errors, it is possible for 
the measured system state to oscillate around this threshold while the true value re- 
mains below the threshold. If the decision is a coordinated decision, and the system 
is at the boundary of the decision point, the presence of data errors can destroy the 
coordination. 

The first aspect can be handled with straight-forward calculations which natu- 
rally should be checked using a theorem prover. These calculations provide a formal 
basis for slightly enlarged protection zones, e.g., 5.1 miles rather than 5 miles, which 
can largely eliminate this problem. Furthermore, if the algorithms are run iteratively 
with a short period, e.g., 1 second, then the error accumulation will be negligible. 
The error accumulation problem can be more significant in a centralized approach to 
recovery where solutions are computed on the ground and delivered to the aircraft. 

The second aspect is the more serious problem in the distributed execution 
environment. In fact there is no complete theoretical solution to this problem. The 
use of filters and dead bands can greatly reduce the impact of this problem, but 
not eliminate it entirely. However, there exist solutions where the algorithm can 
alert the pilot (or higher layers of the system) when the filtering strategy has failed. 
In this case, preplanned emergency maneuvers can be deployed. The centralized 
implementation is not subject to this problem because it computes the coordinated 
maneuvers for all of the aircraft. It is more vulnerable to the first aspect, because 
the computation of conflict-free trajectories for the N aircraft, i.e., N×N potential
conflicts, is inherently slower. Iteration rates of 30 seconds or more are not unlikely.
We will defer further consideration of these issues to future work. 

6.2 Iterative Stability 

In this paper we have not analyzed the iterative stability of the algorithms. Even 
with no inaccuracies in the data, it is theoretically possible for poor algorithms to 
exhibit unacceptable discontinuous behavior as the algorithm is iteratively executed. 
In other words, it is possible that relatively small changes in the input values could 
result in resolutions that are far apart. If the algorithms are deployed in a one-shot 
manner, this is not an issue. In this case, each aircraft computes its resolution
only once. It may take several seconds for the aircraft to achieve the computed
resolutions, but since the resolutions are not recomputed in the intermediate states, 
there is no real problem here. But if the algorithm is executed iteratively, it is 
important that there are not large changes in the resolutions. 

The algorithms presented in this paper have not yet been formally verified to 
be free of such problems. However, we have not witnessed any serious issues in 
our simulations except for one special case, the direct head-on case. The magenta 
aircraft with heading 243 has a track-only resolution of 110 degrees, 

while a small change of heading to 244 results in a track-only resolution of 17 degrees. 

Here we must use a dead band of a few degrees to prevent oscillations from occurring. 
It is also essential that data errors be properly handled for special cases such as this. 
See discussion in section 6.1. 
6.3 Completeness 

It is possible to satisfy the correctness properties by always returning a zero vector, 
since we use a zero vector to indicate the absence of a solution. The correctness 
properties only address non-zero values (See sections 4.1.3, 4.2.3). Our algorithms 
clearly do not just return a zero vector, but whether the algorithm misses some 
important cases is an important question. To answer the question the analyst must 
explore the conditions under which a zero vector is returned. For example, the 
los_gs_alg returns a zero vector when s · v_o = 0. See section 4.1.2. It also returns 
a zero vector when K = s · v_i + J < 0. How often do these cases arise? These questions 
can be examined experimentally or formally in the context of completeness theorems. 
This type of formal analysis will be deferred to future work. 
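
The following is an added example, not code from the paper, written to make the two preceding points concrete: the iterative instability of section 6.2 and the experimental completeness question of section 6.3. It uses a stand-in track-only resolution (the function nearest_divergent_track, which is assumed and is not the paper's los_to_alg: it simply takes the track nearest the current one, trying right before left at each offset, for which the relative velocity diverges, s · v_rel > 0). The overtaking scenario, the bearing jitter, the dead band width and the grid in zero_vector_rate are all constructed. With a symmetric geometry, a half-degree change in the traffic bearing flips the stand-in from a 48-degree right turn to a 48-degree left turn, the same kind of jump the head-on case above shows; an input dead band of a few degrees holds the resolution steady. The last function counts how often the stand-in returns no solution (its analogue of the zero vector) over a grid of geometries.

```python
import math

Vec = tuple[float, float]


def track_vector(track_deg: float, gs_kts: float) -> Vec:
    """Velocity as (east, north) for a track measured clockwise from north."""
    r = math.radians(track_deg)
    return (gs_kts * math.sin(r), gs_kts * math.cos(r))


def dot(a: Vec, b: Vec) -> float:
    return a[0] * b[0] + a[1] * b[1]


def sub(a: Vec, b: Vec) -> Vec:
    return (a[0] - b[0], a[1] - b[1])


def diverges(s: Vec, v_rel: Vec, margin: float = 0.0) -> bool:
    """s = traffic position minus ownship position, v_rel = traffic velocity
    minus ownship velocity.  d|s|^2/dt = 2 s.v_rel, so range grows iff s.v_rel > 0."""
    return dot(s, v_rel) > margin


def nearest_divergent_track(s: Vec, v_traffic: Vec, own_gs: float,
                            own_track: float, margin: float = 0.0):
    """Stand-in resolution (assumed, not the paper's los_to_alg): the track
    nearest own_track whose relative velocity diverges, searching outward one
    degree at a time and trying the right turn before the left at each offset.
    None plays the role of the paper's zero vector (no track-only solution)."""
    for off in range(0, 181):
        for signed in ((off, -off) if off else (0,)):
            t = (own_track + signed) % 360.0
            if diverges(s, sub(v_traffic, track_vector(t, own_gs)), margin):
                return t
    return None


def angle_diff(a: float, b: float) -> float:
    """Signed difference a - b folded into (-180, 180]."""
    return ((a - b + 180.0) % 360.0) - 180.0


def deadband(prev, new: float, band_deg: float) -> float:
    """Input dead band: keep the previous input unless the new one has moved
    by at least band_deg; with band_deg = 0 every update passes through."""
    if prev is None or abs(angle_diff(new, prev)) >= band_deg:
        return new
    return prev


def iterate_overtake(bearings, band_deg: float = 0.0):
    """Constructed overtaking scenario: ownship on track 090 at 300 kts, traffic
    on track 090 at 200 kts, 3 nm away at the given bearing (one bearing per
    1-second iteration).  Returns the resolution chosen at each step after the
    bearing input has passed through the dead band."""
    v_traffic = track_vector(90.0, 200.0)
    tracks, prev = [], None
    for b in bearings:
        prev = deadband(prev, b, band_deg)
        s = track_vector(prev, 3.0)  # traffic position, 3 nm at bearing prev
        tracks.append(nearest_divergent_track(s, v_traffic, 300.0, 90.0))
    return tracks


def zero_vector_rate(own_gs: float, traffic_gs: float, step_deg: int = 10) -> float:
    """Experimental completeness check in the sense of section 6.3: over a grid
    of traffic bearings and tracks at 3 nm, the fraction of converging
    geometries for which the stand-in returns no solution (the zero vector)."""
    total = none = 0
    for bearing in range(0, 360, step_deg):
        s = track_vector(bearing, 3.0)
        for tt in range(0, 360, step_deg):
            v_traffic = track_vector(tt, traffic_gs)
            if diverges(s, sub(v_traffic, track_vector(90.0, own_gs))):
                continue  # already diverging: nothing to resolve
            total += 1
            if nearest_divergent_track(s, v_traffic, own_gs, 90.0) is None:
                none += 1
    return none / total


if __name__ == "__main__":
    jitter = [89.5, 90.5, 89.6, 90.4]          # half-degree bearing noise
    print("raw      :", iterate_overtake(jitter))         # [138, 42, 138, 42]
    print("dead band:", iterate_overtake(jitter, 3.0))    # [138, 138, 138, 138]
    print("no-solution rate, 300 vs 200 kts:", zero_vector_rate(300.0, 200.0))
    print("no-solution rate, 200 vs 300 kts:", zero_vector_rate(200.0, 300.0))
```

The stand-in returns no solution only when the traffic is flying straight at ownship at least as fast as ownship can fly away, which is why the 300-versus-200-kt sweep reports a zero rate and the 200-versus-300-kt sweep does not; for a real algorithm such as los_gs_alg the same sweep would be run over the conditions named in section 4.1.2.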

6.4 Investigation of Appropriate Times To Exit 

In this paper we introduced two parameters that specify maximum times to exit the 
protection zone horizontally or vertically: 

• T_h specifies a maximum time to recover horizontally. 

• T_v specifies a maximum time to recover vertically. 

We did not provide any guidelines about appropriate values for these parameters. 
The divergence aspect of the correctness properties ensures that the immediate danger 
will be over once the recovery algorithm has been executed, but divergence can 
be slow when the recovery trajectories are nearly parallel. Suitable values for these 
parameters must be determined within the context of a more fully defined operational 
concept. Human-in-the-loop experiments could be performed to determine 
exit times that pilots would be comfortable with. In section 4.3, we argued that the 
recovery algorithms could be executed iteratively while making small changes to the 
J parameter to achieve the desired time to exit. Future work will investigate the 
behavior of these algorithms as they are iterated to ensure that very small changes 
in J result in small changes in the recovery trajectories. 
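
As an added illustration of the T_h and T_v parameters (this is not code from the paper; the zone radius D, the zone half-height H, the relative states and the rule that leaving the zone in either dimension ends the loss of separation are all assumptions), the following solves |s + v t| = D and |s_z + v_z t| = H for the time at which a pair on straight recovery trajectories exits the protection zone and checks it against T_h and T_v. The second horizontal case, with a small relative velocity, is the nearly parallel situation the text warns about: the same geometry takes six times longer to exit.

```python
import math


def horizontal_time_to_exit(s, v_rel, D_nm):
    """Seconds until horizontal separation reaches D_nm.  s in nm and v_rel in
    kts are traffic minus ownship.  Assumes |s| < D (loss of separation).
    Returns infinity when v_rel = 0 (parallel tracks at equal speed)."""
    vv = v_rel[0] ** 2 + v_rel[1] ** 2
    if vv == 0.0:
        return float("inf")
    sv = s[0] * v_rel[0] + s[1] * v_rel[1]
    c = s[0] ** 2 + s[1] ** 2 - D_nm ** 2   # negative while inside the zone
    # |s + v t|^2 = D^2  <=>  vv t^2 + 2 sv t + c = 0; c < 0 gives one positive root
    t_hours = (-sv + math.sqrt(sv * sv - vv * c)) / vv
    return 3600.0 * t_hours


def vertical_time_to_exit(sz_ft, vz_fpm, H_ft):
    """Seconds until |sz + vz t| reaches H_ft; sz in ft and vz in ft/min are
    traffic minus ownship.  Assumes |sz| < H."""
    if vz_fpm == 0.0:
        return float("inf")
    # exactly one of the two crossings lies in the future when |sz| < H
    roots = [(H_ft - sz_ft) / vz_fpm, (-H_ft - sz_ft) / vz_fpm]
    return 60.0 * min(t for t in roots if t > 0)


def recovers_in_time(s, v_rel, sz, vz, D_nm, H_ft, T_h, T_v):
    """True if the pair leaves the zone horizontally within T_h seconds or
    vertically within T_v seconds (assumption: either dimension suffices)."""
    return (horizontal_time_to_exit(s, v_rel, D_nm) <= T_h
            or vertical_time_to_exit(sz, vz, H_ft) <= T_v)


if __name__ == "__main__":
    D, H = 5.0, 1000.0                              # constructed zone: 5 nm, 1000 ft
    print(horizontal_time_to_exit((0.0, 4.0), (120.0, 30.0), D))   # about 63.5 s
    print(horizontal_time_to_exit((0.0, 4.0), (20.0, 5.0), D))     # about 381 s
    print(vertical_time_to_exit(500.0, -1000.0, H))                # 90 s
    print(recovers_in_time((0.0, 4.0), (20.0, 5.0), 500.0, -1000.0, D, H, 120.0, 100.0))
```

Because the exit time is a closed-form function of the post-maneuver relative state, an iterative scheme of the kind described in section 4.3 can evaluate it after each candidate change to J and stop as soon as the horizontal or vertical bound is met.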


7 Conclusion 

In this paper we have developed loss of separation algorithms for both the horizontal 
and vertical dimensions. The algorithms provide solutions for the track-only, 
ground-speed-only, and vertical-speed-only cases. A theoretical framework for analyzing 
these algorithms was developed and used to establish correctness properties 
about the proposed algorithms. The correctness properties require divergence and 
a timely exit from the protection zone. Central to the framework is the idea of an 
intermediate criteria, which decomposes the verification process into two steps. The 
first step establishes that the criteria is sufficient to meet the correctness properties. 
This verification step has been completed in this paper. The second step shows that 
a particular algorithm meets the criteria. This must be accomplished for each new 
algorithm that is developed. We have completed these proofs for our algorithms as 
well. 

Our correctness properties include requirements for both independent and coordinated 
correctness. Independent correctness requires that an algorithm recovers 
from loss of separation if only one of the aircraft maneuvers. The coordinated 
correctness property requires that an algorithm recovers from loss of separation when 
both aircraft maneuver. This requires a proof that all possible combinations of 
maneuvers result in divergence and a timely exit from the protection zone. 

The formal proofs were conducted using the PVS theorem prover. Several idealistic 
assumptions were made in these proofs: (1) input data contains no errors, 
(2) the computations were performed with infinite precision, i.e., mathematical real 
numbers, (3) the resolution maneuvers can be performed instantaneously, and (4) pilots 
implement the prescribed maneuvers. Each of these assumptions can be relaxed 
by performing additional analysis, which we hope to do in the future. 
Appendix A 

Horizontal Criteria Visualization 

The original ownship vector is displayed in blue and the original traffic vector is 
displayed in magenta. 

s_o = (0 nm, 0 nm, 25000 ft) 
s_i = (1 nm, 2 nm, 25000 ft) 
v_o = (60 kts, 300 kts, 0) 
v_i = (0 kts, 300 kts, 0) 

In this scenario, the track-only velocity vectors allowed by the criteria are shown in 
green. The red vectors are the los_to_alg solutions with a track-only aggressiveness 
factor of 1/3. 



If the aggressiveness factor is 1/6, we obtain: 




In the following illustration, the ownship track is 300 with ground speed 300 kts, 
and the traffic track is 150 with ground speed 350 kts. The separation between 
the aircraft is 4.21 nm and the vertical speed is 0 for both. 

The aggressiveness factor is 1/3. This scenario requires more aggressive maneuvers. 
The trace that arises from stepping the algorithm iteratively once per second 
is illustrated below: 




The maneuver executed was limited by a maximum turn rate corresponding to a 
bank angle of 20°. The algorithm is re-executed every iteration. Changing the traffic 
track angle to 360° results in 

The trace resulting from a 1 second step interval is 

The nearly parallel lines of recovery result in a time to exit of more than 95 seconds. This 
indicates that an iterative increase in the J value may be needed in a situation such 
as this. Increasing the aggressiveness factor to 0.5 decreased the time to exit to 
about 60 seconds. Interestingly, changing the aggressiveness factor to 0.7 resulted 
in a major change in the ownship trajectory: 

and a short 20 second recovery time. The behavior is very different if the algorithm 
is not recomputed at each iteration step. 
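
The traces above were produced with a turn-rate limit and a command refreshed every second. The following added example (not the paper's simulation; the command sequences are constructed and the only formula used is the standard coordinated-turn relation, turn rate = g tan(bank) / V) shows what that limit means numerically: at 300 kts a 20° bank allows about 1.33 degrees per second, so a 48-degree turn needs 37 one-second steps, and if the recomputed command reverses partway through, the aircraft never reaches the first commanded track. That lag is why a trace from an algorithm recomputed every step differs from one that commits to its first resolution.

```python
import math

G = 9.80665            # m/s^2
KT_TO_MPS = 0.514444   # knots to metres per second


def max_turn_rate_deg_s(bank_deg: float, gs_kts: float) -> float:
    """Turn rate (deg/s) of a coordinated level turn: omega = g tan(bank) / V."""
    v = gs_kts * KT_TO_MPS
    return math.degrees(G * math.tan(math.radians(bank_deg)) / v)


def angle_diff(a: float, b: float) -> float:
    """Signed difference a - b folded into (-180, 180]."""
    return ((a - b + 180.0) % 360.0) - 180.0


def step_track(current: float, commanded: float, rate_deg_s: float,
               dt_s: float = 1.0) -> float:
    """Advance the flown track toward the commanded track by at most
    rate_deg_s * dt_s degrees, turning the shorter way round."""
    d = angle_diff(commanded, current)
    max_step = rate_deg_s * dt_s
    if abs(d) <= max_step:
        return commanded % 360.0
    return (current + math.copysign(max_step, d)) % 360.0


def fly(initial: float, commands, bank_deg: float, gs_kts: float,
        dt_s: float = 1.0):
    """Track after each iteration when one (possibly recomputed) command is
    applied per step under the bank-angle turn-rate limit.  trace[k] is the
    track after k steps, trace[0] the initial track."""
    rate = max_turn_rate_deg_s(bank_deg, gs_kts)
    track, trace = initial, [initial]
    for cmd in commands:
        track = step_track(track, cmd, rate, dt_s)
        trace.append(track)
    return trace


if __name__ == "__main__":
    rate = max_turn_rate_deg_s(20.0, 300.0)
    # constructed: a fixed 138-degree command held for 40 one-second steps
    steady = fly(90.0, [138.0] * 40, 20.0, 300.0)
    # constructed: the command flips to 42 degrees after ten steps
    flipped = fly(90.0, [138.0] * 10 + [42.0] * 10, 20.0, 300.0)
    print(f"{rate:.2f} deg/s; 138 reached after {steady.index(138.0)} s")
    print("track after the flip:", [round(t, 1) for t in flipped[8:14]])
```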